comp4_unit8b_lecture_slides

Introduction to Information and Computer Science
Security
Lecture b
This material (Comp4_Unit8b) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.
Security
Learning Objectives
• List and describe common security concerns (Lecture a)
• Describe safeguards against common security concerns (Lecture b)
• Describe security concerns for wireless networks and how to address them (Lectures b and c)
• List security concerns/regulations for health care applications (Lecture c)
• Describe security safeguards used for health care applications (Lecture c)
Health IT Workforce Curriculum
Version 3.0/Spring 2012
Introduction to Information and Computer Science
Security
Lecture b
2
Mitigating Security Issues
• Security policy
• User authentication
• Firewalls
• Antivirus software
• Intrusion Protection Systems
• Encrypt communications and stored data
• Audit adherence to security policies
Security Policy
• Most policies contain provisions related to:
– Security definition
– Enforcement
– User access to the network, devices, software, and data
– Password management
– Email and Internet use
– Antivirus software
– Backup and recovery
– Intrusion detection
– Auditing
– Others
Authentication Factors - Proving User Identity
• Something the user knows
– Username and password
• Something the user has
– Smartcards and employee badges
• Something that is a part of the user (biometrics)
– Fingerprints, retinal scans, etc.
Factor Authentication
• One-factor authentication
– Simplest authentication process
– Username and password needed
• Two-factor authentication
– Username and password needed
– Also need one of other authentication types
• Smartcard or fingerprint reader
• Three-factor authentication
– All three authentication types used
• Such as username/password and smartcard and fingerprint reader
Firewalls
• Software and/or hardware that blocks unauthorized communications on a computer
• Windows OS provides Windows Firewall
• Routers provide basic firewall protection
– Most ISP routers act as firewalls
• Inspects each piece of communication
• Permits or denies traffic based on rules
– For example, another user will not be able to connect to a user’s computer unless the firewall is configured to allow the communication
Windows Firewall Example
(PD-US, 2011)
Antivirus (AV) Software
• Detects and removes malware
– Can also protect against adware and spyware
• Requires current virus pattern definitions
– Updates cost about $50/year
• Searches all computer files for virus signatures
• Monitors for malicious computer activity
– For example, if a running program attempts to perform some odd action, the AV software will stop and quarantine the program
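The "search all files for virus signatures, then quarantine" behaviour on this slide, as an added example that is not part of the lecture materials: an on-demand scanner that checks every file under a directory against two kinds of pattern definitions (SHA-256 hashes of known-bad files, and byte sequences found inside known-bad files) and moves any match into a quarantine directory. The signature names, patterns and files are all constructed here; they are not real malware definitions.

```python
# Added example (not from the lecture): a minimal signature-based file scanner
# with quarantine. Signatures and sample files are constructed for illustration.
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Constructed byte-sequence signatures (hypothetical pattern and name).
BYTE_SIGNATURES = {
    b"CONSTRUCTED-MALWARE-MARKER-0001": "Demo.Marker.A",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path, hash_db: dict, byte_db: dict) -> Optional[str]:
    """Return the signature name on a match, None when the file looks clean."""
    hit = hash_db.get(sha256_of(path))
    if hit:
        return hit
    data = path.read_bytes()  # whole-file read keeps the demo short
    for pattern, name in byte_db.items():
        if pattern in data:
            return name
    return None


def scan_tree(root: Path, quarantine: Path, hash_db: dict, byte_db: dict) -> dict:
    """Scan every file under root and move matches into quarantine.
    Returns {path relative to root: signature name} for each detection."""
    quarantine.mkdir(parents=True, exist_ok=True)
    found = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hit = scan_file(path, hash_db, byte_db)
        if hit:
            found[str(path.relative_to(root))] = hit
            shutil.move(str(path), str(quarantine / path.name))
    return found


def demo() -> dict:
    """Build a constructed directory (one clean file, one file matching a hash
    signature, one matching a byte signature), scan it, and report what was
    detected, what stayed in place and what was quarantined."""
    root = Path(tempfile.mkdtemp(prefix="scan-"))
    quarantine = Path(tempfile.mkdtemp(prefix="quarantine-"))
    known_bad = b"CONSTRUCTED KNOWN-BAD FILE CONTENT"
    (root / "notes.txt").write_bytes(b"patient scheduling notes")
    (root / "dropper.bin").write_bytes(known_bad)
    (root / "invoice.doc").write_bytes(
        b"header " + b"CONSTRUCTED-MALWARE-MARKER-0001" + b" trailer")
    # The hash database is built from the constructed known-bad content.
    hash_db = {hashlib.sha256(known_bad).hexdigest(): "Demo.ExactFile.B"}
    found = scan_tree(root, quarantine, hash_db, BYTE_SIGNATURES)
    return {
        "found": found,
        "remaining": sorted(p.name for p in root.iterdir()),
        "quarantined": sorted(p.name for p in quarantine.iterdir()),
    }


if __name__ == "__main__":
    print(demo())
```

A hash signature only catches a byte-for-byte identical file, which is why real products also carry byte-pattern and behavioural rules; the "requires current definitions" point on the slide follows directly, since both dictionaries here are only as good as their last update.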
Common Antivirus Software Vendors
• Avast! http://www.avast.com/index
• AVG http://free.avg.com/us-en/homepage
• HouseCall http://housecall.trendmicro.com/
• Kaspersky http://usa.kaspersky.com/
• McAfee http://www.mcafee.com/us/
• Symantec http://www.symantec.com/index.jsp
Intrusion Protection Systems (IPS)
• Similar to firewall functionality – but more!
• Hardware and/or software that monitors all network traffic for malicious activity
– Works to stop intrusions and alert network administrators
The Cisco Secure Intrusion Detection System (formerly NetRanger) is an enterprise-scale, real-time intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network. Approximate cost: $700
(PD-US, 2011)
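The "monitor traffic, stop the intrusion, alert the administrator" loop on this slide, as an added example that is not part of the lecture materials: a small rule engine that reads connection-log lines, keeps per-source state, and when one source touches many distinct ports within a short window, or fails to log in repeatedly, records an alert and blocks the source. The log format, addresses and thresholds are constructed for illustration; an IDS would stop at the alert, an IPS also applies the block.

```python
# Added example (not from the lecture): a toy intrusion-prevention engine over
# constructed connection-log lines. Thresholds and log format are illustrative.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dport=(\d+) result=(\S+)$")

SCAN_PORTS = 5                         # distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=10)    # ... within this window = scan pattern
FAIL_LIMIT = 3                         # failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=1)     # ... within this window = guessing pattern


@dataclass
class Alert:
    when: datetime
    src: str
    kind: str
    action: str  # "block" here; a pure IDS would only record "alert"


class Ips:
    def __init__(self):
        self.ports = defaultdict(deque)   # src -> deque of (time, port)
        self.fails = defaultdict(deque)   # src -> deque of (time,)
        self.blocked = set()
        self.alerts = []

    @staticmethod
    def _trim(dq, now, window):
        """Drop entries older than the window (entries are time-ordered)."""
        while dq and now - dq[0][0] > window:
            dq.popleft()

    def _block(self, now, src, kind):
        self.blocked.add(src)
        self.alerts.append(Alert(now, src, kind, "block"))

    def observe(self, line: str) -> None:
        m = LOG_RE.match(line)
        if not m:
            return  # unparsable line ignored; a real system would count these
        ts, src, dport, result = m.groups()
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if src in self.blocked:
            return  # traffic from a blocked source is dropped
        ports = self.ports[src]
        ports.append((now, int(dport)))
        self._trim(ports, now, SCAN_WINDOW)
        if len({p for _, p in ports}) >= SCAN_PORTS:
            self._block(now, src, "port-scan")
            return
        if result == "auth-fail":
            fails = self.fails[src]
            fails.append((now,))
            self._trim(fails, now, FAIL_WINDOW)
            if len(fails) >= FAIL_LIMIT:
                self._block(now, src, "repeated-login-failure")


def run(lines) -> Ips:
    ips = Ips()
    for line in lines:
        ips.observe(line)
    return ips


# Constructed sample log: one normal client, one source probing many ports,
# one source failing three logins in a row, one user who mistypes once.
SAMPLE_LOG = """\
2012-03-01 09:00:01 src=10.20.5.7 dport=443 result=ok
2012-03-01 09:00:02 src=198.51.100.9 dport=21 result=refused
2012-03-01 09:00:02 src=198.51.100.9 dport=22 result=refused
2012-03-01 09:00:03 src=198.51.100.9 dport=23 result=refused
2012-03-01 09:00:03 src=198.51.100.9 dport=25 result=refused
2012-03-01 09:00:04 src=198.51.100.9 dport=80 result=refused
2012-03-01 09:00:05 src=198.51.100.9 dport=443 result=ok
2012-03-01 09:00:10 src=203.0.113.4 dport=3389 result=auth-fail
2012-03-01 09:00:20 src=203.0.113.4 dport=3389 result=auth-fail
2012-03-01 09:00:30 src=203.0.113.4 dport=3389 result=auth-fail
2012-03-01 09:00:31 src=203.0.113.4 dport=3389 result=ok
2012-03-01 09:05:00 src=10.20.5.8 dport=3389 result=auth-fail
2012-03-01 09:05:01 src=10.20.5.8 dport=3389 result=ok
""".splitlines()

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG).alerts:
        print(alert)
```

The single mistyped login from 10.20.5.8 stays under the threshold, which is the point of windowed counting: the rule is tuned so that ordinary user errors do not lock out clinic staff while a sustained pattern still triggers the block.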
Encryption
• Makes communication unreadable to unauthorized viewers
– Uses an electronic private and public key set
• Authorized viewers are provided with an encryption key, with the ability to encrypt and decrypt messages
– Medical office encrypts data using its private key
– Patient decrypts data using the medical office’s public key
• Encryption keeps data confidential
– Entities never share their private key
Encryption Example
Encrypting a Microsoft Excel 2010 document makes the spreadsheet unreadable to anyone who tries to open it without the encrypting password. Any Microsoft Office file can be encrypted (password protected) in this way.
(PD-US, 2011)
Encryption Example (continued)
Opening an encrypted document requires the user to enter the password used to encrypt it.
(PD-US, 2011)
If the user does not enter the correct password, the encrypted document cannot be opened. Entering the correct password allows the document to be decrypted so that it can be viewed.
(PD-US, 2011)
Encryption Example (continued)
Any file on a Windows-based PC can be encrypted. To encrypt a document:
1. Create a new folder.
2. Right-click the folder and select Properties.
3. Click Advanced.
4. Click Encrypt contents to secure data.
All files placed in this folder will be encrypted.
(PD-US, 2011)
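What the Office and folder-encryption slides show from the user's side (right password opens the document, wrong password is refused), as an added example that is not part of the lecture materials and not how Office or Windows implement it: password-based encryption built only from the Python standard library. The key is derived from the password with PBKDF2-HMAC-SHA256 and a random salt, the keystream is HMAC-SHA256 in counter mode, and the ciphertext carries an HMAC tag (encrypt-then-MAC), so a wrong password produces a clean refusal rather than garbage. This is a teaching construction; a production tool would use an AEAD cipher such as AES-GCM from a vetted library.

```python
# Added example (not from the lecture): password-based encryption with
# integrity check, standard library only. Teaching construction, not a
# substitute for a vetted AEAD cipher.
import hashlib
import hmac
import secrets

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """One PBKDF2 call, split into an encryption key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with successive HMAC-SHA256(key, nonce || counter) blocks.
    The same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Fresh salt and nonce every call."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    body = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag


def decrypt(password: str, blob: bytes) -> bytes:
    """Raise ValueError (the document cannot be opened) unless the tag verifies
    under the key derived from this password."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated document")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    body, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("wrong password or tampered document")
    return _keystream_xor(enc_key, nonce, body)


def can_open(password: str, blob: bytes) -> bool:
    """The user-visible outcome from the slide: opens or does not."""
    try:
        decrypt(password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = encrypt("correct horse", b"patient roster (constructed sample)")
    print("right password opens:", can_open("correct horse", blob))
    print("wrong password opens:", can_open("wrong", blob))
```

The tag covers the salt and nonce as well as the body, so changing any part of the stored file is refused in the same way as a wrong password; without the tag a wrong password would silently decrypt to meaningless bytes.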
Audit Security Policy Practices
• Is the organization doing what it says it will do?
– If nurses are to log off nursing stations when they leave the station, is this being done?
– Is the database server kept up to date with critical updates?
– Is all access of medical records logged?
– Are backups being done regularly and stored according to the security policy?
– Do employees adhere to email policies?
– Others?
Additional Steps to Take...
• Educate employees
– Don’t open unsolicited attachments
– Users lock screens when not at station
– Don’t click on popup ads while surfing
– Report strange activity to network admins
• Create secure software applications
– Only authenticated and authorized use of software
– Non-repudiation of network actions
• Means that a user or device cannot deny having done something
Additional Steps to Take...
• Use of password policies
– Password complexity
– Passwords changed regularly (60 days, etc.)
– No reuse of old passwords
– Passwords not written down anywhere
• Domain-based network environment
– Server manages users, devices, and policies
– No use of network assets unless part of domain
– Restricted number of network administrators
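The password-policy bullets on this slide, as an added example that is not part of the lecture materials: a checker that enforces complexity, a 60-day change interval and no reuse of old passwords, and that keeps only salted PBKDF2 hashes of past passwords so the reuse check never requires storing the passwords themselves. The length and character-class thresholds, the account name and the sample passwords are constructed for illustration.

```python
# Added example (not from the lecture): password policy enforcement with a
# hashed password history. Thresholds are illustrative.
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 12                 # constructed threshold
MAX_AGE = timedelta(days=60)    # "changed regularly (60 days)" from the slide
HISTORY_SIZE = 10               # how many old passwords the reuse check remembers
ROUNDS = 100_000


def complexity_problems(password: str) -> list[str]:
    """List every complexity rule the password breaks (empty = complex enough)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:  # at least three of the four classes are required
        problems.append("missing " + ", ".join(missing))
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


@dataclass
class Account:
    username: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash)
    last_changed: Optional[date] = None

    def is_expired(self, today: date) -> bool:
        """True when the password must be changed (never set, or older than MAX_AGE)."""
        return self.last_changed is None or today - self.last_changed > MAX_AGE

    def was_used_before(self, password: str) -> bool:
        """Compare against every remembered hash, each under its own salt."""
        return any(hmac.compare_digest(_hash(password, salt), h) for salt, h in self.history)

    def set_password(self, password: str, today: date) -> list[str]:
        """Apply the policy; return the violations (empty list = accepted and stored)."""
        problems = complexity_problems(password)
        if self.was_used_before(password):
            problems.append("reuse of an old password")
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        self.last_changed = today
        return []


def demo() -> dict:
    """Walk one constructed account through a weak password, an accepted one,
    an attempted reuse, expiry after 60 days and a successful change."""
    acct = Account("nurse.j")
    day0 = date(2012, 3, 1)
    return {
        "weak": acct.set_password("password", day0),
        "ok": acct.set_password("Ward7-Thermometer!", day0),
        "reuse": acct.set_password("Ward7-Thermometer!", day0 + timedelta(days=30)),
        "expired_at_30_days": acct.is_expired(day0 + timedelta(days=30)),
        "expired_at_61_days": acct.is_expired(day0 + timedelta(days=61)),
        "changed_ok": acct.set_password("Clinic-Badge#2012", day0 + timedelta(days=61)),
        "history_len": len(acct.history),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each history entry carries its own salt, so checking a candidate against ten old hashes costs ten PBKDF2 runs; that is deliberate, since the same work factor is what makes the stored history useless as a list of the old passwords.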
Additional Steps to Take...
• Physical security of assets
– Servers bolted to floor/wall in locked room
– No unauthorized physical access of equipment
– Protect devices with passwords at all times
– UPS and power surge equipment used
– No access to data without authentication
• Validation of data entered into database
– All database entries validated before being stored in the database
– Test for expected and unexpected database entries
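The "validate before storing, test with expected and unexpected entries" bullets on this slide, as an added example that is not part of the lecture materials: a validator for a patient-visit record that returns every rule the record breaks, followed by an insert that uses a parameterized query so the database only ever receives typed values. The field rules, the table, the medical-record-number format and the sample records are constructed for illustration.

```python
# Added example (not from the lecture): input validation plus a parameterized
# insert, exercised with one expected record and several unexpected ones.
import re
import sqlite3
from datetime import date

MRN_RE = re.compile(r"^[0-9]{8}$")                    # constructed MRN format
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' ,.-]{0,79}$")  # letters, space, ' , . - ; max 80
ALLOWED_DEPTS = {"cardiology", "oncology", "pediatrics", "radiology"}


def validate_visit(rec: dict, today: date) -> list[str]:
    """Return every rule the record breaks; an empty list means it may be stored."""
    errors = []
    if not isinstance(rec.get("mrn"), str) or not MRN_RE.match(rec["mrn"]):
        errors.append("mrn must be exactly 8 digits")
    if not isinstance(rec.get("name"), str) or not NAME_RE.match(rec["name"]):
        errors.append("name has an unexpected length or characters")
    if rec.get("dept") not in ALLOWED_DEPTS:
        errors.append("dept is not a known department")
    try:
        if date.fromisoformat(rec.get("visit_date", "")) > today:
            raise ValueError("future date")
    except (ValueError, TypeError):
        errors.append("visit_date must be a past or current ISO date")
    return errors


def open_db() -> sqlite3.Connection:
    """In-memory table; the CHECK constraint is a second line of defence."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE visit (
        mrn TEXT NOT NULL CHECK (length(mrn) = 8),
        name TEXT NOT NULL,
        dept TEXT NOT NULL,
        visit_date TEXT NOT NULL)""")
    return conn


def store_visit(conn: sqlite3.Connection, rec: dict, today: date) -> list[str]:
    """Validate, then insert with bound parameters (never string formatting)."""
    errors = validate_visit(rec, today)
    if errors:
        return errors
    conn.execute(
        "INSERT INTO visit (mrn, name, dept, visit_date) VALUES (?, ?, ?, ?)",
        (rec["mrn"], rec["name"], rec["dept"], rec["visit_date"]))
    return []


def demo() -> dict:
    """Store one expected record and reject a set of unexpected ones."""
    today = date(2012, 3, 1)
    conn = open_db()
    good = {"mrn": "00123456", "name": "O'Neil, Pat", "dept": "cardiology",
            "visit_date": "2012-02-28"}
    unexpected = [
        {"mrn": "123", "name": "Pat", "dept": "cardiology", "visit_date": "2012-02-28"},
        {"mrn": "00123456", "name": "", "dept": "cardiology", "visit_date": "2012-02-28"},
        {"mrn": "00123456", "name": "Pat", "dept": "billing", "visit_date": "2012-02-28"},
        {"mrn": "00123456", "name": "Pat", "dept": "cardiology", "visit_date": "2013-01-01"},
        {"mrn": "00123456", "name": "Pat", "dept": "cardiology", "visit_date": "yesterday"},
        {"mrn": 12345678, "name": "Pat", "dept": "cardiology"},  # wrong type, missing field
    ]
    result = {"accepted": store_visit(conn, good, today),
              "rejected": [store_visit(conn, r, today) for r in unexpected]}
    result["rows"] = conn.execute("SELECT COUNT(*) FROM visit").fetchone()[0]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Returning the full list of violations rather than stopping at the first makes the "test with unexpected entries" step on the slide straightforward: each constructed bad record in demo() documents one rule, and the last one shows that a record can fail several at once.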
Security
Summary – Lecture b
• Describe safeguards against common security concerns
• Describe security concerns for wireless networks and how to address them
Security
References – Lecture b
References
• SANS. Information Security Policy Templates. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://www.sans.org/security-resources/policies.
• GIAC. The Basics of an IT Security Policy. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://www.giac.org/certified_professionals/practicals/gsec/1863.php.
• Wikipedia. Firewall (computing). [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Firewall_(computing).
• Wikipedia. Antivirus software. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Antivirus_software.
• Wikipedia. Malware. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Malware.
• Wikipedia. Intrusion detection system. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Intrusion_detection_system.
• IT Security. Create your own security audit. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://www.itsecurity.com/features/it-security-audit-010407/.
Images
Slide 11: Cisco Secure Intrusion Detection System [image on the Internet]. c2010 [cited 2011 Nov 07]. Available from: http://www.google.com/products/catalog?q=Intrusion+detection+system&cid=3672983121990923567&ei=wPGHTJblBomeiwSew5nYAg&sa=title&ved=0CEEQ8wIwBTgA#p.